1. Technical Field
The present invention relates to the protection of integrated circuits against attacks by error injection, and particularly to the protection of integrated circuits present in smart cards.
The present invention relates more particularly to a method for securing the reading of a memory.
2. Description of the Related Art
FIG. 1 shows an integrated circuit IC for a smart card or an electronic tag. The integrated circuit IC comprises a microprocessor central processing unit UC, one or more non-volatile memories MEM1 (ROM, EEPROM, FLASH, etc.), a volatile memory MEM2 (RAM), an encryption circuit CRYCT enabling the integrated circuit to authenticate itself during a transaction, and an interface circuit INTCT enabling it to communicate with external smart card or electronic tag readers (EXT). The central processing unit UC, the memories MEM1, MEM2 and the circuit CRYCT are linked together by a data bus DTB and an address bus ADB. The interface circuit INTCT can be of the contact type and comprise for example ISO 7816 contacts (clock, data, supply, ground contacts, etc.). The interface circuit INTCT can also be of the RFID contactless type (Radio Frequency Identification) and comprise an antenna coil RF or an antenna circuit UHF, modulation and demodulation circuits for modulating and demodulating incoming and outgoing data, a clock extractor circuit, etc.
The logic circuits present in secured integrated circuits such as integrated circuits for smart cards, are the subject of various attacks by frauds who try to discover their structure and/or the secrets they contain. They are for example cryptography circuits of DES, AES, RSA, etc. type, microprocessors programmed to execute cryptography algorithms, register banks containing secret keys, etc.
The most advanced hacking methods currently involve injecting errors in an integrated circuit during the execution of so-called sensitive operations, such as authentication operations or operations of executing a cryptography algorithm for example.
Such attacks, referred to as attacks by error injection or fault injection, can occur during so-called sensitive calculation phases, such as during phases of calculating an identification code or during the reading of an encryption key in a memory. They enable, in combination with mathematical models and from false results obtained intentionally thanks to glitches, a secret element such as an encryption key or a password to be defined, the structure of a cryptography algorithm and/or the secret keys the algorithm uses to be deduced, etc.
In particular, localized attacks involve introducing glitches at a determined point of the circuit, for example by means of a laser beam or an X-ray beam. A localized attack can concern the supply voltage, a data path, or the clock signal of the integrated circuit.
The ROM or EEPROM memory of a smart card which generally contains sensitive data or programs are particularly targeted by this type of attack. Although it is impossible to modify the content of a ROM memory, a glitch applied to the output stages or the address decoders of the memory can modify the value of a datum or of a program instruction at the time it is read in the memory or transmitted to the central processing unit.
To counter this type of attack, the possibilities have already been considered of storing, for each datum stored in the memory, control information calculated from the bits of the datum, and of checking every time a datum is read that the control information stored for this datum corresponds to the control information calculated from the bits of the datum read. According to the value of the datum read and the bits affected by the error injection, the control information calculated on the corrupted datum can correspond to the information that is stored for the datum read. Therefore this solution has flaws.